07 - Adding Lets-Encrypt Certificates¶
With TrueNAS SCALE, it's possible to automatically generate certificates for your domain(s) using letsencrypt. However, this process is not very self-explanatory. After you managed to complete this how-to, you should be able to select "iX Certificate" as certificate option and your personal certificate in the other drop-down box!
To use iX Certificates with letsencrypt there are a few requirements: - Preferably use a DNS server that doesn't have any caching (no local DNS server) for your TrueNAS system. - Have an email address entered for your TrueNAS SCALE
root user. (this email will also be used for letsencrypt reminder!) - Own a domain name - Use either Cloudflare or AWS Route53 for your domain. (In case you wonder: Using Cloudflare as DNS provider is free) - Have an active internet connection so TrueNAS SCALE can contact Cloudflare or AWS to verify your domain ownership
Credentialsin the Left side menu and go the
ACME DNS-Authenticators, select
ACME DNS-Authenticatorsto open the menu for adding your DNS provider for domain verification.
Enter the required information and click
save. For Cloudflare you need either a global API-Key or a limited-scope API token. Please refer to cloudflare and/or AWS on how to get the required credentials.
Certificate Signing Requests, select
Certificate Signing Requeststo open the menu for adding the domain information you want a certificate for.
- Enter all information required in the wizard and save it. If you are not sure, the defaults are almost always "alright", because most of what you enter here is completely ignored by Letsencrypt.
Common Namein this case means
Primary domain name, whereas
Subject Alternate Namesmeans
Extra domain names.
Notice your new
Certificate Signing Requestshowing up in the box below
Certificate Signing Requests. Also notice the small
wrenchicon to the right of your
Certificate Signing Request
Click the small
wrenchicon, this will open the
Create ACME Certificatemenu. In this menu we can actually request either a real (Production) certificate or a testing (staging) certificate from Letsencrypt. For clarity, it's advisable to use the same Authenticator for all domain names. However: It's okay to generate both a testing and a staging certificate for the same domain.
After saving and awaiting the generation process, you should end up with another
Certificate Signing Requestand a new
Certificates, this new
Certificate Signing Requestis used to renew your
Certificatein the future and should not be deleted!